Re: [Assp-test] fixes in assp 2.4.6 build 15312
:: On Mon, 9 Nov 2015 12:36:00 +0100 :: <20151109123600.3...@gmx.net> :: Grayhat wrote:

> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detecting "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

hmmm... maybe I'm wrong, but after a quick eyeball at the code it sounds like the "$AUTHUserIPfrequency" only works with *FAILED* auth attempts while, to be effective, it should work with *successful* ones, so that if a given user account gets successful authentication from a number of different IPs in less than a given time T, then we could assume that the account got compromised and is being abused by bots. But the above makes sense only if the check is performed on *valid* auth, not on errors.

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] fixes in assp 2.4.6 build 15312
> sounds like the "$AUTHUserIPfrequency" only works with *FAILED* auth attempts

No - the frequency is checked after the user name is known.

Thomas

From: Grayhat <gray...@gmx.net>
To: assp-test@lists.sourceforge.net
Date: 09.11.2015 16:57
Subject: Re: [Assp-test] fixes in assp 2.4.6 build 15312

> hmmm... maybe I'm wrong, but after a quick eyeball at the code it sounds like the "$AUTHUserIPfrequency" only works with *FAILED* auth attempts while, to be effective, it should work with *successful* ones, so that if a given user account gets successful authentication from a number of different IPs in less than a given time T, then we could assume that the account got compromised and is being abused by bots. But the above makes sense only if the check is performed on *valid* auth, not on errors.
Re: [Assp-test] fixes in assp 2.4.6 build 15312
:: On Sun, 8 Nov 2015 12:09:34 -0500 :: Scott MacLean wrote:

> This sounds like a great feature, but as soon as I turned it on (I
> used 3 600), EVERY user attempting to send email, even those
> connecting for the first time (including myself) were blocked with a
> 4.7.1, and subsequent attempts got them added to PBBlack as well. I
> had to turn it off and clean out recent entries to PBBlack to get
> things back on track.

well, at least it works, doesn't it :D ?

No, ok, seriously, sounds like Thomas fixed it with #15313; as for the feature, the idea is to attempt protecting the mail system from bots attempting to abuse stolen credentials to pump out spam; ASSP already has a rate limiter which helps detecting "mass mailing", slowing them down and alerting the admin but, till now, ASSP had no way to deal with a flock of bots with a bunch of different IPs authenticating using some stolen credentials and sending (say) 1 or 2 messages each; both issues can now be taken care of using the new feature :)
Re: [Assp-test] fixes in assp 2.4.6 build 15312
:: On Mon, 9 Nov 2015 12:36:00 +0100 :: <20151109123600.3...@gmx.net> :: Grayhat wrote:

> No, ok, seriously, sounds like Thomas fixed it with #15313; as for the
> feature, the idea is to attempt protecting the mail system from bots
> attempting to abuse stolen credentials to pump out spam; ASSP already
> has a rate limiter which helps detecting "mass mailing", slowing them
> down and alerting the admin but, till now, ASSP had no way to deal
> with a flock of bots with a bunch of different IPs authenticating
> using some stolen credentials and sending (say) 1 or 2 messages each;
> both issues can now be taken care of using the new feature :)

forgot, as for the notify, one may want to add the following to the "NotifyRe" warning:

too many recipients
too many authentication attempts

to get notifications for both the rate limiter *and* the new auth IP checker; this could allow mail admins to be quickly alerted about possible outbound spam runs and/or compromised accounts
Re: [Assp-test] fixes in assp 2.4.6 build 15312
On 11/8/2015 3:06 AM, Thomas Eckardt wrote:

> added:
>
> 'AUTHUserIPfrequency','Max IP Changes for AUTHentication per User'
> If the authentication methods PLAIN or LOGIN are used by clients, two
> space separated values specify the number of different IPs and a
> timeframe in seconds, which should not be exceeded by a user.
> For example "2 600" - notice these are the minimum values for IP-number
> and seconds.
> The example disallows a user to authenticate (using PLAIN or LOGIN) from
> two or more different IP-addresses within 600 seconds. In other words -
> a user is allowed to authenticate from another IP-address, 601 seconds
> after the last authentication.
> Each attempt to authenticate is counted by this feature.
> MaxAUTHErrors is counted, if a user breaks this rule.
> Leave this blank to disable this feature.

This sounds like a great feature, but as soon as I turned it on (I used 3 600), EVERY user attempting to send email, even those connecting for the first time (including myself) were blocked with a 4.7.1, and subsequent attempts got them added to PBBlack as well. I had to turn it off and clean out recent entries to PBBlack to get things back on track.

Here's what I got the very first time I tried to send an email after I turned the feature on, when DB-AUTHIP was still empty:

Nov-08-15 11:48:29 [Worker_1] Worker_1 wakes up
Nov-08-15 11:48:29 [Worker_1] Info: Worker_1 got connection from MainThread
Nov-08-15 11:48:29 [Main_Thread] Info: Main_Thread freed by idle Worker_1 in 0.083 seconds - got (ok)
Nov-08-15 11:48:29 [Worker_1] Info: try to connect to server at 127.0.0.1:1027
Nov-08-15 11:48:29 [Worker_1] Info: connected to server at 127.0.0.1:1027
Nov-08-15 11:48:29 [Worker_1] Connected: session:F91E41C {my IP address}:58712 > 216.227.137.26:465 > 127.0.0.1:61433 > 127.0.0.1:1027 , 24-36
Nov-08-15 11:48:29 [Main_Thread] IP 127.0.0.1 matches allowStatConnectionsFrom - with 127.0.0.1/32
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} info: authentication - plain is used
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} [SMTP Error] 521 mail.netbound.com does not accept mail - closing transmission - you are not alloed to authenticate from IP {my IP address}
Nov-08-15 11:48:29 [Worker_1] [SSL-in] [AUTHUserIP] {my IP address} too many authentication attempts for user 'myusern...@hollsco.com' from different IP's
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} Message-Score: added 60 (autValencePB) for AUTHErrors, total score for this message is now 60
Nov-08-15 11:48:29 [Worker_1] [SSL-in] {my IP address} info: PB-IP-Score for '{my IP address}' is 60, added 60 in this session
Nov-08-15 11:48:29 [Worker_1] Disconnected: session:F91E41C {my IP address} - command list was 'EHLO,AUTH' - used 2 SocketCalls - processing time 0 seconds
Nov-08-15 11:48:29 [Worker_1] Worker_1 will sleep now
Re: [Assp-test] fixes in assp 2.4.6 build 15312
I'm sorry, there is a typo in the code - used '>' instead of '<'.

Thomas

From: Scott MacLean <a...@hollsco.com>
To: assp-test@lists.sourceforge.net
Date: 08.11.2015 18:10
Subject: Re: [Assp-test] fixes in assp 2.4.6 build 15312

> This sounds like a great feature, but as soon as I turned it on (I used 3 600), EVERY user attempting to send email, even those connecting for the first time (including myself) were blocked with a 4.7.1, and subsequent attempts got them added to PBBlack as well. I had to turn it off and clean out recent entries to PBBlack to get things back on track.
[Assp-test] fixes in assp 2.4.6 build 15312
Hi all,

fixed in assp 2.4.6 build 15312:

- if a character set conversion setting was changed, the old settings were internally not removed until the next (re)start of assp
- disabling the authentication was no longer working in build 15303
- it was possible that a SSL-connection passed through the transparent proxy (proxyConf) lost data or was unexpectedly disconnected, because of a too short socket buffer

changed:

- the RWL handling is improved (better logging, better handling of list.dnswl.org results)

added:

'AUTHUserIPfrequency','Max IP Changes for AUTHentication per User'
If the authentication methods PLAIN or LOGIN are used by clients, two space separated values specify the number of different IPs and a timeframe in seconds, which should not be exceeded by a user. For example "2 600" - notice these are the minimum values for IP-number and seconds. The example disallows a user to authenticate (using PLAIN or LOGIN) from two or more different IP-addresses within 600 seconds. In other words - a user is allowed to authenticate from another IP-address, 601 seconds after the last authentication. Each attempt to authenticate is counted by this feature. MaxAUTHErrors is counted, if a user breaks this rule. Leave this blank to disable this feature.

'transparentRecipients','Mails to these Recipients are Handled in Transparent-PROXY Mode*'
Mails to any of these recipients or domains are handled transparently immediately after a possible SRS check, BATV processing, Recipient-Replacement, RFC822 checks, ORCPT check and a feature match is found in the currently processed "RCPT TO:" SMTP command (envelope recipient). NOTICE: If a connection is moved in to the transparent proxy mode, this connection will stay in this mode until "MAIL FROM:" or "RSET" is used or the connection is closed by any peer. What does "transparently handled" mean? ASSP acts like a transparent proxy. No filter actions are taken for the mail. Nothing is analyzed. Nothing is verified. Nothing is stored. Nothing is logged (except reply codes if configured) - only debugging will work. You can list specific addresses (u...@mydomain.com), addresses at any local domain (user), or entire domains (@mydomain.com). Wildcards are supported (fribo*@domain.com). Separate multiple entries with a pipe (|). For example: fr...@thisdomain.com|jhanna|@sillyguys.org or place them in a plain ASCII file one address per line - file:files/transparentuser.txt.

Thomas
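The "N T" rule described in this announcement, together with the inverted-comparison symptom Scott reported and Thomas confirmed earlier in the thread, as an added Python model; this is not ASSP's code, the user names, addresses and timings are constructed, and the flipped comparison only models the reported symptom (first login against an empty DB-AUTHIP refused), not the actual line in ASSP.

```python
class AuthIPFrequency:
    """Model of the AUTHUserIPfrequency rule: setting "N T" refuses PLAIN/LOGIN
    authentication once a user has used N or more distinct IPs within T seconds."""

    def __init__(self, setting):
        max_ips, window = setting.split()      # e.g. "3 600" as Scott configured
        self.max_ips = int(max_ips)
        self.window = int(window)
        self.seen = {}  # user -> {ip: time of last attempt}; stands in for DB-AUTHIP

    def check(self, user, ip, now, inverted=False):
        """Record the attempt and return True if authentication may proceed.

        now: attempt time in seconds (injected so runs are deterministic).
        inverted=True models the build-15312 defect ('>' used instead of '<'):
        with the comparison flipped everyone *below* the limit is refused,
        including the very first login against an empty table.
        """
        hist = self.seen.setdefault(user, {})
        # An IP leaves the window only once T seconds have fully elapsed, so
        # with T=600 a new address is accepted 601 s after the last attempt.
        for old_ip, seen_at in list(hist.items()):
            if now - seen_at > self.window:
                del hist[old_ip]
        hist[ip] = now                  # every attempt is counted, refused ones too
        distinct = len(hist)
        if inverted:
            return distinct > self.max_ips
        return distinct < self.max_ips


def first_login_empty_db():
    """Scott's report: '3 600', empty DB-AUTHIP, first login from a single IP.
    Returns (fixed_result, buggy_result): the fix admits it, the bug refuses."""
    fixed = AuthIPFrequency("3 600").check("user@example.com", "198.51.100.10", now=0)
    buggy = AuthIPFrequency("3 600").check("user@example.com", "198.51.100.10", now=0,
                                           inverted=True)
    return fixed, buggy


def many_ips_one_account():
    """Grayhat's scenario: one account, a second IP within the window (constructed)."""
    limiter = AuthIPFrequency("2 600")
    events = [(0, "203.0.113.5"),      # first attempt: one IP in window
              (30, "203.0.113.5"),     # same IP again: still one distinct address
              (45, "203.0.113.77"),    # second distinct IP inside 600 s -> refused
              (700, "203.0.113.77")]   # both earlier sightings > 600 s old -> admitted
    return [limiter.check("victim@example.com", ip, now=t) for t, ip in events]
```

Because refused attempts are recorded as well, a bot that keeps retrying from fresh addresses keeps the account locked for the whole window, which is the behaviour the feature is meant to produce.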